mirror of
https://github.com/matter-labs/teepot.git
synced 2025-07-21 23:23:57 +02:00
feat(tee-proof-verifier): add support for Solidity-compatible pubkey in report_data
This PR is part of the effort to implement on-chain TEE proof verification. This PR goes hand in hand with: - https://github.com/matter-labs/zksync-era/pull/3414 - https://github.com/matter-labs/teepot/pull/228
This commit is contained in:
Patryk Bęza
parent
b81d76c607
commit
a74e5b2ebc
9 changed files with 155 additions and 49 deletions
|
|
@ -15,7 +15,6 @@ clap.workspace = true
|
|||
hex.workspace = true
|
||||
rand.workspace = true
|
||||
secp256k1.workspace = true
|
||||
sha3.workspace = true
|
||||
teepot.workspace = true
|
||||
tracing.workspace = true
|
||||
tracing-log.workspace = true
|
||||
|
|
|
|||
|
|
@ -8,9 +8,9 @@
|
|||
|
||||
use anyhow::{Context, Result};
|
||||
use clap::Parser;
|
||||
use secp256k1::{rand, PublicKey, Secp256k1, SecretKey};
|
||||
use sha3::{Digest, Keccak256};
|
||||
use secp256k1::{rand, Secp256k1};
|
||||
use std::{ffi::OsString, os::unix::process::CommandExt, process::Command};
|
||||
use teepot::ethereum::public_key_to_ethereum_address;
|
||||
use teepot::quote::get_quote;
|
||||
use tracing::error;
|
||||
use tracing_log::LogTracer;
|
||||
|
|
@ -29,19 +29,6 @@ struct Args {
|
|||
cmd_args: Vec<OsString>,
|
||||
}
|
||||
|
||||
/// Converts a public key into an Ethereum address by hashing the encoded public key with Keccak256.
|
||||
pub fn public_key_to_address(public: &PublicKey) -> [u8; 20] {
|
||||
let public_key_bytes = public.serialize_uncompressed();
|
||||
|
||||
// Skip the first byte (0x04) which indicates uncompressed key
|
||||
let hash: [u8; 32] = Keccak256::digest(&public_key_bytes[1..]).into();
|
||||
|
||||
// Take the last 20 bytes of the hash to get the Ethereum address
|
||||
let mut address = [0u8; 20];
|
||||
address.copy_from_slice(&hash[12..]);
|
||||
address
|
||||
}
|
||||
|
||||
fn main_with_error() -> Result<()> {
|
||||
LogTracer::init().context("Failed to set logger")?;
|
||||
|
||||
|
|
@ -54,7 +41,7 @@ fn main_with_error() -> Result<()> {
|
|||
let mut rng = rand::thread_rng();
|
||||
let secp = Secp256k1::new();
|
||||
let (signing_key, verifying_key) = secp.generate_keypair(&mut rng);
|
||||
let ethereum_address = public_key_to_address(&verifying_key);
|
||||
let ethereum_address = public_key_to_ethereum_address(&verifying_key);
|
||||
let tee_type = match get_quote(ethereum_address.as_ref()) {
|
||||
Ok((tee_type, quote)) => {
|
||||
// save quote to file
|
||||
|
|
@ -99,6 +86,8 @@ fn main() -> Result<()> {
|
|||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use secp256k1::{PublicKey, Secp256k1, SecretKey};
|
||||
|
||||
use super::*;
|
||||
|
||||
#[test]
|
||||
|
|
@ -110,7 +99,7 @@ mod tests {
|
|||
let secret_key = SecretKey::from_slice(&secret_key_bytes).unwrap();
|
||||
let public_key = PublicKey::from_secret_key(&secp, &secret_key);
|
||||
let expected_address = hex::decode("627306090abaB3A6e1400e9345bC60c78a8BEf57").unwrap();
|
||||
let address = public_key_to_address(&public_key);
|
||||
let address = public_key_to_ethereum_address(&public_key);
|
||||
|
||||
assert_eq!(address, expected_address.as_slice());
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,5 +12,6 @@ anyhow.workspace = true
|
|||
clap.workspace = true
|
||||
hex.workspace = true
|
||||
secp256k1.workspace = true
|
||||
sha3.workspace = true
|
||||
teepot.workspace = true
|
||||
zksync_basic_types.workspace = true
|
||||
|
|
|
|||
|
|
@ -5,10 +5,13 @@
|
|||
|
||||
use anyhow::{Context, Result};
|
||||
use clap::{Args, Parser, Subcommand};
|
||||
use secp256k1::{ecdsa::Signature, Message, PublicKey};
|
||||
use core::convert::TryInto;
|
||||
use hex::encode;
|
||||
use secp256k1::{Message, PublicKey};
|
||||
use std::{fs, io::Read, path::PathBuf, str::FromStr, time::UNIX_EPOCH};
|
||||
use teepot::{
|
||||
client::TcbLevel,
|
||||
ethereum::recover_signer,
|
||||
quote::{error, tee_qv_get_collateral, verify_quote_with_collateral, QuoteVerificationResult},
|
||||
};
|
||||
use zksync_basic_types::H256;
|
||||
|
|
@ -87,14 +90,25 @@ fn verify_signature(
|
|||
let reportdata = "e_verification_result.quote.get_report_data();
|
||||
let public_key = PublicKey::from_slice(reportdata)?;
|
||||
println!("Public key from attestation quote: {}", public_key);
|
||||
let signature_bytes = fs::read(&signature_args.signature_file)?;
|
||||
let signature = Signature::from_compact(&signature_bytes)?;
|
||||
let root_hash_msg = Message::from_digest_slice(&signature_args.root_hash.0)?;
|
||||
if signature.verify(&root_hash_msg, &public_key).is_ok() {
|
||||
println!("Signature verified successfully");
|
||||
} else {
|
||||
println!("Failed to verify signature");
|
||||
}
|
||||
let signature_bytes: &[u8] = &fs::read(&signature_args.signature_file)?;
|
||||
let ethereum_address_from_quote = "e_verification_result.quote.get_report_data()[..20];
|
||||
let root_hash_bytes = signature_args.root_hash.as_bytes();
|
||||
let root_hash_msg = Message::from_digest_slice(root_hash_bytes)?;
|
||||
let ethereum_address_from_signature =
|
||||
recover_signer(&signature_bytes.try_into()?, &root_hash_msg)?;
|
||||
let verification_successful = ethereum_address_from_signature == ethereum_address_from_quote;
|
||||
|
||||
println!(
|
||||
"Signature '{}' {}. Ethereum address from attestation quote: {}. Ethereum address from signature: {}.",
|
||||
encode(signature_bytes),
|
||||
if verification_successful {
|
||||
"verified successfully"
|
||||
} else {
|
||||
"verification failed"
|
||||
},
|
||||
encode(ethereum_address_from_quote),
|
||||
encode(ethereum_address_from_signature)
|
||||
);
|
||||
Ok(())
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -4,16 +4,17 @@
|
|||
use crate::{args::AttestationPolicyArgs, client::JsonRpcClient};
|
||||
use anyhow::{Context, Result};
|
||||
use hex::encode;
|
||||
use secp256k1::{constants::PUBLIC_KEY_SIZE, ecdsa::Signature, Message, PublicKey};
|
||||
use secp256k1::Message;
|
||||
use teepot::{
|
||||
client::TcbLevel,
|
||||
ethereum::recover_signer,
|
||||
quote::{
|
||||
error::QuoteContext, tee_qv_get_collateral, verify_quote_with_collateral,
|
||||
QuoteVerificationResult, Report,
|
||||
},
|
||||
};
|
||||
use tracing::{debug, info, warn};
|
||||
use zksync_basic_types::{L1BatchNumber, H256};
|
||||
use zksync_basic_types::L1BatchNumber;
|
||||
|
||||
pub async fn verify_batch_proof(
|
||||
quote_verification_result: &QuoteVerificationResult,
|
||||
|
|
@ -27,22 +28,38 @@ pub async fn verify_batch_proof(
|
|||
}
|
||||
|
||||
let batch_no = batch_number.0;
|
||||
|
||||
let public_key = PublicKey::from_slice(
|
||||
"e_verification_result.quote.get_report_data()[..PUBLIC_KEY_SIZE],
|
||||
)?;
|
||||
debug!(batch_no, "public key: {}", public_key);
|
||||
|
||||
let root_hash = node_client.get_root_hash(batch_number).await?;
|
||||
debug!(batch_no, "root hash: {}", root_hash);
|
||||
let ethereum_address_from_quote = "e_verification_result.quote.get_report_data()[..20];
|
||||
let signature_bytes: &[u8; 65] = signature.try_into()?;
|
||||
let root_hash_bytes = root_hash.as_bytes();
|
||||
let root_hash_msg = Message::from_digest_slice(root_hash_bytes)?;
|
||||
let ethereum_address_from_signature = recover_signer(signature_bytes, &root_hash_msg)?;
|
||||
let verification_successful = ethereum_address_from_signature == ethereum_address_from_quote;
|
||||
debug!(
|
||||
batch_no,
|
||||
"Root hash: {}. Ethereum address from the attestation quote: {}. Ethereum address from the signature: {}.",
|
||||
root_hash,
|
||||
encode(ethereum_address_from_quote),
|
||||
encode(ethereum_address_from_signature),
|
||||
);
|
||||
|
||||
let is_verified = verify_signature(signature, public_key, root_hash)?;
|
||||
if is_verified {
|
||||
info!(batch_no, signature = %encode(signature), "Signature verified successfully.");
|
||||
if verification_successful {
|
||||
info!(
|
||||
batch_no,
|
||||
signature = encode(signature),
|
||||
ethereum_address = encode(ethereum_address_from_quote),
|
||||
"Signature verified successfully."
|
||||
);
|
||||
} else {
|
||||
warn!(batch_no, signature = %encode(signature), "Failed to verify signature!");
|
||||
warn!(
|
||||
batch_no,
|
||||
signature = encode(signature),
|
||||
ethereum_address_from_signature = encode(ethereum_address_from_signature),
|
||||
ethereum_address_from_quote = encode(ethereum_address_from_quote),
|
||||
"Failed to verify signature!"
|
||||
);
|
||||
}
|
||||
Ok(is_verified)
|
||||
Ok(verification_successful)
|
||||
}
|
||||
|
||||
pub fn verify_attestation_quote(attestation_quote_bytes: &[u8]) -> Result<QuoteVerificationResult> {
|
||||
|
|
@ -85,12 +102,6 @@ pub fn log_quote_verification_summary(quote_verification_result: &QuoteVerificat
|
|||
);
|
||||
}
|
||||
|
||||
fn verify_signature(signature: &[u8], public_key: PublicKey, root_hash: H256) -> Result<bool> {
|
||||
let signature = Signature::from_compact(signature)?;
|
||||
let root_hash_msg = Message::from_digest_slice(&root_hash.0)?;
|
||||
Ok(signature.verify(&root_hash_msg, &public_key).is_ok())
|
||||
}
|
||||
|
||||
fn is_quote_matching_policy(
|
||||
attestation_policy: &AttestationPolicyArgs,
|
||||
quote_verification_result: &QuoteVerificationResult,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue